sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

Index: sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index c25d6cf61141fceb8c933b0581cf2c57ac5d7dd6..362c1b2a5afe8533beac375f19797d4c0d9ca4d2 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -28,6 +28,7 @@
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
+#include "base/synchronization/waitable_event.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
@@ -2145,6 +2146,51 @@ BPF_TEST_C(SandboxBPF, Pread64, TrapPread64Policy) {
 
 #endif  // !defined(OS_ANDROID)
 
+void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) {
+  base::WaitableEvent* event = static_cast<base::WaitableEvent*>(cond_ptr);
+
+  // Wait for the main thread to signal that the filter has been applied.
+  if (!event->IsSignaled()) {
+    event->Wait();
+  }
+
+  BPF_ASSERT(event->IsSignaled());
+
+  // Nanosleep is now blacklisted, so this should fail.

[jln (very slow on Chromium), 2014/08/20 21:34:20]

I would split that into a separate NanoSleepFails() function. You can call it on
the main thread (before the policy is applied) and check that it's false (to
test the function itself) and re-use it here and check that it returns true.

It's a detail, so up to you.

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+  const struct timespec ts = {0, 0};
+  errno = 0;
+  BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
+  BPF_ASSERT(errno == EACCES);
+
+  return NULL;
+}
+
+TEST(SandboxBPF, Tsync) {

[jln (very slow on Chromium), 2014/08/20 21:34:21]

We should not write tests that affects the current process (which can then run
other tests). Please, make this a SANDBOX_TEST instead
(sandbox/linux/tests/unit_tests.h).

Also using BPF_ASSERT would terminate the whole test suite if you're not inside
a SANDBOX_TEST.

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+  if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
+          SandboxBPF::STATUS_AVAILABLE) {
+    LOG(INFO) << "Skipping test: tsync unavailable";
+    return;
+  }
+
+  base::WaitableEvent event(true, false);
+
+  // Create a thread on which to invoke the blocked syscall.
+  pthread_t thread;
+  BPF_ASSERT_EQ(0,
+      pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
+
+  // Engage the sandbox.
+  SandboxBPF sandbox;
+  sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
+  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
+
+  // Signal the condition to invoke the system call.
+  event.Signal();
+
+  // Wait for the thread to finish.
+  BPF_ASSERT_EQ(0, pthread_join(thread, NULL));
+}
+

[jln (very slow on Chromium), 2014/08/20 21:34:20]

If you feel like writing more tests, I think a death test checking that we crash
when passing PROCESS_SINGLE_THREADED on a multithreaded process could be useful.

[Robert Sesek, 2014/08/21 16:50:18]

Depending on the discussion around the other comment regarding
SandboxThreadState, I'll do this.

 }  // namespace
 
 }  // namespace sandbox